Theom Critical Risks

TheomAlerts_CL
 | where priority_s == "P1"

kind: Scheduled
description: |
    "Creates Microsoft Sentinel incidents for critical risk Theom alerts."
status: Available
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Exfiltration
- Impact
- Reconnaissance
triggerOperator: gt
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksCritical.yaml
id: bb9051ef-0e72-4758-a143-80c25ee452f0
version: 1.0.3
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
triggerThreshold: 0
queryPeriod: 5m
query: |
  TheomAlerts_CL
   | where priority_s == "P1"  
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: customProps_AssetName_s
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: deepLink_s
relevantTechniques:
- T1592
- T1589
- T1070
- T1552
- T1619
- T1119
- T1560
- T1530
- T1213
- T1001
- T1041
- T1537
- T1485
- T1486
- T1565
name: Theom Critical Risks
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult